Appendix A: Samples extracted from Telenor intrusion



msupl.exe 
conhosts.exe 
svcohst.exe 
cpyf.exe 
splitter.exe 
msspr.exe 
taskbase.exe 
vemm.d1ll 
winhost.exe 
waulct.exe 
srsr.exe 
msiep.exe 
msspr.exe 
vmec.dll 
oprs.exe 

few important operational documents.doc.exe 
windwn.exe 
winsvcr.exe 
chrm.exe 
zfscu.dll 
vtlp.dll 
Appendix B: Some related cases based on behaviour and malware similarity parameters.


Name: “Pending_Electricity_Bill_(December-January).pdf.exe”
MD5: 681757936109f7c6e65197fdbb6a8655
Content: Pending_Electricity_Bill_(December-January).pdf
Content: wincert.exe
C&C: chkpoint.info

Name: “Horsemeat_scandal_another_Irish_company_suspends_burger_production.exe”
MD5: f52154ae1366ae889d0783730040ea85
Content: Horsemeat_scandal_another_Irish_company_suspends_burger_production.docx
Content: wincert.exe
C&C: chkpoint.info

Name: Unknown
MD5: f8b0e04506e57bfa2addade04e9a93d4
Content: “Indian_Involvement_in_Afghanistan.pdf”
Content: smsss.exe
Content: systems.exe
Content: csrsss.exe
Content: test.vbs
Content: start1.bat
C&C: sonification.com

Name: important.doc.exe
MD5: a7a223cebe5d89aa2d36864cb096b1b3
Content: important.doc
Content: smsss.exe
Content: exploer.exe
Content: ims.exe
Content: test.vbs
Content: start1.bat
C&C: sonificaton.com; researcherzone.net;

Name: Unknown, probably “ENRC__DEBT__INVESTORS__2012__for__your__Reference.exe”
MD5: e40205cba4e84a47b7c7419ab6d77322
Content: “ENRC__DEBT__INVESTORS__2012__for__your__Reference.docx”
Content: cftmont.exe
C&C: macsol.org; openhostingtalk.com;

Operation Hangover. Unveiling an Indian Cyberattack Infrastructure 
Appendixes 


Name: Unknown, probably “Deatils_for_the_ENRC_Board_Meeting_X1098977e79.exe”
MD5: a5a740ce2f47eada46b5cae5facfe848
Content: “Deatils_for_the_ENRC_Board_Meeting_X1098977e79.docx”
Content: acsrsss.exe
C&C: systoolsonline.org

Name: “Parminder bansil fraud with Nucleus software Full details.exe”
MD5: a7b5fce4390629f1756eb25901dbe105
Content: scan.docx
Content: winsvcr.exe
Content: wincert.exe
Content: wins.vbs
C&C: skylarzone.org; onlinestoreapp.net;

Name: “Reliance limited sustantibility issues full report 576676y8778.exe”
MD5: 0d5956dac2ac56f292ee8fa121450973
Content: Details.docx
Content: wauclt.exe
Content: wincerrt.exe
Content: wins.vbs
C&C: competitveedge.org; crystalrepo.org;

Name: update112.exe
MD5: 66203f184e4fdb004c0d24ede011ce6e
Content: msnger.exe
Content: igfxtrye.exe
C&C: wearwellgarments.eu; mysharpens.com;

Name: hp.exe
MD5: 74e571f9accf9fe1b4ea6ee0e02a5180
Content: Mendhar.doc
Content: isass.exe
C&C: forest-fire.com

Name: Unknown
MD5: 0f65c1202881f5c0e3d512aa64162716
Content: 20120316.pdf
Content: update.exe
Content: alg.exe
C&C: forest-fire.com; mailtranet.com;

Name: Unknown, probably “Details_for_the_ENRC_Board_Meeting X10FR333_2012.exe”
MD5: 2895a9bOcf22cd45421d634dcO0f68db1
Content: Details_for_the_ENRC_Board_Meeting X10FR333_2012.docx
Content: avcsrss.exe
C&C: ezservicesenter.org; casinoaffiliatepartners.net;

Name: Unknown, probably “McKinsey_Quaterly_Newsletter_2012 .exe”
MD5: 602f66b23b55dd2a22cd84e34c5b8476
Content: McKinsey_Quaterly_Newsletter_2012 .docx
Content: cfmon.exe
C&C: casinoaffiliatepartners.net; openhostingtalk.com;

Name: important.exe
MD5: a1cad6b71ab30577ea8e204fab01ed47
Content: imprtant.jpg
Content: snmse.exe
C&C: cryptoanalysis.net

Name: Unknown, probably “Detail_description_of_ferro_chrome_silicon_and_ferro_chrome.exe”
MD5: 2102a18dc20dc6654c03e0e74f36033f
Content: Detail_description_of_ferro_chrome_silicon_and_ferro_chrome.docx
Content: ctmon.exe
C&C: macsol.org

Name: webmailapp.exe
MD5: 22a3a1d5a89866a81152cd2fc98cd6e2
Content: Ink.bat
Content: jre.exe
Content: dwm.exe
C&C: mobnetserver.com

Name: exploer.exe, winl.exe, lasss.exe
MD5: 634e4c640c4d7845a88faa5e0838ec0e
Content: winword.exe
Content: ssmss.exe
C&C: matrixfanclub.net

Name: Unknown
MD5: FFC2C9969B6A3B27FF96B926E9A6C18A
Content: ssmss.exe
Content: spoolsv.exe
C&C: follow-ship.com

Name: Unknown, probably “Taliban target creator, blow up ISI jihad lab.doc.exe”
MD5: E14B7985764E737333D531DAABF55970
Content: Taliban target creator, blow up ISI jihad lab.doc
Content: winword.exe
Content: csres.exe
Content: svchost.exe
C&C: redgolfclub.info

Name: Unknown, probably “MIRZAGHALIB....... IN2011.doc.exe”
MD5: 0680B9E247B2779799D4B32582F566C8
Content: MIRZAGHALILB....... IN2011.doc
Content: CSRSSS.exe
Content: SMSSS.exe
Content: start1.bat
Content: SYSTEMSS.exe
Content: test.vbs
C&C: sonificaton.com

Name: “agni5_inda's_deadliest_ballistic_nuclear_missile.exe”
MD5: 06E80767048F3EDEFC2DEA301924346C
Content: 1.pdf
Content: csrsss.exe
Content: dectop.ini
Content: Isasss.exe
Content: start.bat
Content: start1.bat
Content: test.vbs

Appendix C: Malware string indicators.


Text strings found inside malware. 


HANGOVER 1.2.2 (C++ uploader) 


Unable to load conf 

Drives are: 

%e:/ 

Could not upload file... 

encrypted 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
]Tfufss/mph 

Uploading files to web server... 

Source Directory: 

%d out of %d uploaded 

IMAGE 

Dec: Couldn't open file: 

enc_ 

Dec: Couldn't create file: 

7kmL| | HHt98jdf4z#F1+25jf7+3MIG 

Enc: Couldn't open file: 

Enc: Couldn't create file: 

Couldn't open source : 

MBVDFRESCT 
90B452BFFF3F395ABDC878D8BEDBD152 

Excep while up %s: %s 

Content-Type: multipart/form-data; boundary=%s 
--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
Bo; ces 

{CAF1C46F-D91d7-C912F7F4F609} 

WINAPP 

[CryptProvider::Enc] Unable to encrypt data: 
[CryptProvider::Enc] Unable to decrypt data: 
[ProvHandle::ProvHandle] Unable to create provider: 
Microsoft Enhanced Cryptographic Provider v1.0 
[CrypHash::CryptHash] Unable to create hash: 
[CryptKey::CryptKey] Unable to create key: 

E:\My\lan scanner\Task\HangOver 1.2.2\Release\Http_t.pdb 

HANGOVER 1.3.2 (C++ uploader)


Unable to load conf 

Drives are: 

%e:/ 

Could not upload file... 

encrypted 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
]Tfufss/mph 

Uploading files to web server... 

Source Directory: 

%d out of %d uploaded 

IMAGE 

Dec: Couldn't open file: 

enc_ 

Dec: Couldn't create file: 

7kmL| | HHt98jdf4z#F1+25jf7+3MIG 

Enc: Couldn't open file: 

Enc: Couldn't create file: 

Couldn't open source : 

MBVDFRESCT 

90B452BFFF3F395ABDC878D8BEDBD152 

Excep while up %s: %s 

Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 
/c xcopy 


y IY 


open 

yahoo 

windows dirctory 

{AHAn4T-TRAH-P112F7110903} 

WINAPP 

[CryptProvider::Enc] Unable to encrypt data: 
[CryptProvider::Enc] Unable to decrypt data: 
[ProvHandle::ProvHandle] Unable to create provider: 
Microsoft Enhanced Cryptographic Provider v1.0 
[CrypHash::CryptHash] Unable to create hash: 
[CryptKey::CryptKey] Unable to create key: 
D:\Monthly Task\September 2011\HangOver 1.3.2 (Startup)\Release\Http_t.pdb 

HANGOVER 1.5.3 (C++ uploader)


%e:/ 

%userprofile% 

encrypted 

\sample2.txt 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
]Tfufss/mph 

%d out of %d uploaded 

Ombohvbhf/qiq 

hvbhf 

/qiq 

tpojgjdbupo/dpn 

EMSCBVDFRT 
F390395ABFBD452BFFC87BE8D8DBD152 

Excep while up %s: %s 

Content-Type: multipart/form-data; boundary=%s 
--%s


Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
mogces 

cmd 


open 
/cxcopy " 

" IY 

dekstop.ico 

EXE 

mozila 

windows dirctory 

{2FC02671-E810-48b3-96DE-C4284E94EFC9} 

WINAPP 

T:\final project backup\uploader version backup\HangOver 1.5.3 (Startup)\Release\Http_t.pdb 

HANGOVER 1.5.4 (C++ uploader)


%e:/ 
%userprofile% 

encrypted 

\sample2.txt 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 

]Tfufss/mph 

%d out of %d uploaded 

Onztibs/qiq 

hvbhf 

/qiq 

nztibsqfot/dpn 

EMSCBVDFRT 

F390395ABFBD452BFFC87BE8D8DBD152 

Excep while up %s: %s 

Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
ais 
bad cast 
/c xcopy 


" IV 


open 
dektpMSI89.ico 

EXE 

mozilall 

windows dirctory 

{67FCO221-E016-48B3-8D9H-E894C854YF92} 

WINAPP 

T:\final project backup\uploader version backup\fud all av hangover1.5.4\with icon +shortcut link\HangOver 1.5.3 (Startup)\Release\Http_t.pdb

HANGOVER 1.5.7 (C++ uploader)


%e:/ 

%userprofile% 

encrypted 

%s%04d%02d%02d%02d%02d%02d.%s 

\nts.txt 

Uploaded file %s to web server 

Failed to upload file %s 

]Tfufss/mph 

%d out of %d uploaded 

tqbsl/qiq 

011c5v/dpn 

EMSFRTCBVD 

F39D45E70395ABFB8D8D2BFFC8BBD152 

Excep while up %s: %s 

Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

windows dirctory 

C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup) uploader\Release\Http_t.pdb

RON 2.00 (Appin) (C++ uploader)


VERSIONTYPE{he3l4m5k2n4m5kgs8c9f9} 

Reg 

Write 

Option Explicit 

on error resume next 

Dim objShell, strRoot, strModify 

strRoot =" 

Set objShell = CreateObject("WScript.Shell") 
strModify = objShell. 

(strRoot," 

""REG SZ") 

strModify = null 

WScript.Quit 

ScheduledTime 

In OnTimer... 

Available drives are: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
\Program Files 

\WINDOWS 

\Temp 

\Local Settings 

\Start Menu 

\Application Data 

\UserData 

\Cookies 

\Favorites 

\SendTo 

\NetHood 

\PrintHood 

\LocalService 

\NetworkService 

File Found %s 

Fail to find Write time of file %s 

Fail to Access file %s 

File %s is inserted in list 

File found with different Pattern 

Uploading files to web server... 
backup%Y%m%d%H%M%S 

Source Directory: 

\detail.txt 

Search Process Failed 

Started by timer 

Couldn't open source file: 

sendFile 

FFF3F395A90B452BB8BEDC878DDBD152 
access.php 

Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 
--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 
Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

SetTimer returned %d 

%sBackup-%s.log 

Backup*.log 

C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb 

RON 2.31 (Tourist) (C++ uploader)


CONTENT-LENGTH: 

GET 

HTTP/1.1 

Host: 

Connection: keep-alive 

]tztubn/fyf 

xfcnjdsptpguvqebuf/ofu 

OjnbhftOubtliptu/fyf 

[MONTHLYDESX] 

Ic 

In OnTimer... 

Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
ve 

\Program Files 

\WINDOWS 

\Temp 

\Local Settings 

\Start Menu 

\Application Data 

\UserData 

\Cookies 

\Favorites 

\SendTo 

\NetHood 

\PrintHood 

\LocalService 

\NetworkService 

\ProgramData 

File Found %s 
%s_%02d_%02d_%04d_%02d_%02d_%02d.%s 
Fail to find Write time of file %s 

Fail to Access file %s 

File %s is inserted in list 

File found with different Pattern :: %s 

Uploading files to web server... 
backup%Y%m%d%H%M%S 

Source Directory: 

\csb.log 

Search Process Failed 

Started by timer 

Couldn't open source file: 

BUGMAAL 
2BB8FFF3F39878DDB5A90B45BEDCD152 
Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 
--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 
Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

SetTimer returned %d 

%Y-%m-%d 

%sInfo-%s.log 

%C - 

Info*.log 

Y:\Uploader\HTTP\Tourist uplo\Tourist Uplo 2.3.1\Release\Ron.pdb 

RON 2.33 (C++ uploader)


CONTENT-LENGTH: 

GET 

HTTP/1.1 

Host: 

Connection: keep-alive 

]matbtt/fyf 

np{jmbvqebuf/dpn 

Oqmvhjo/uyu 
Global\{FABF2E92-DA28-C7851754D733} 

In OnTimer... 

Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
Uploading files to web server... 
backup%Y%m%d%H%M%S 

Source Directory: 

\csb.log 

Search Process Failed 

\** 

\Program Files 

\WINDOWS 

\Temp 

\Local Settings 

\Start Menu 

\Application Data 

\UserData 

\Cookies 

\Favorites 

\SendTo 

\NetHood 

\PrintHood 

\LocalService 

\NetworkService 

File Found %s 

Fail to find Write time of file %s 

Fail to Access file %s 

Started by timer 

Couldn't open source file: 

SMAAL 

2BB8FFF3F39878DDB5A90B45BEDCD152 
Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 
--%s

Content-Disposition: form-data; name="uploaddir"
Content-Disposition: form-data; name="filename"; filename="%s"
Content-Type: text/plain 
Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

SetTimer returned %d 

%sInfo-%s.log 

%e - 

Info*.log 

E:\Datahelp\UPLO\HTTP\NEW Up For Trinity\RON 2.3.3\Release\Ron.pdb 

RON 2.43 (Tourist) (C++ uploader)


In OnTimer... 
/c xcopy 


" IV 


open 
appdata 

windows dirctory 

Global\{C78517FA-D28A-BF254D111010} 

%02X 

Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 

%d out of %d files were successfully uploaded to server 
Uploading files to web server... 

backup%Y%m%d%H%M%S 

Source Directory: 

\ksb.log 

Search Process Failed 

\** 

File Found %s 

Fail to find Write time of file %s 

Fail to Access file %s 

Started by timer 

Couldn't open source file: 

SIMPLE 

78DDB5A902BB8FFF3F398B45BEDCD152 

Exception occurred while uploading file %s: %s 

Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir"
Content-Disposition: form-data; name="filename"; filename="%s"
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

SetTimer returned %d 

%sReport-%s.txt 

Report*.txt 

S:\final project backup\task information\task of september\Tourist 2.4.3 (Down Link On Resource) -L\Release\Ron.pdb 

RON 2.45 (Tourist) (C++ uploader)


%userprofile% 

Appl 

icati 

on Data 

Global\{C7121E67-D28A-BF25KD72EKK3} 

TextX 

windows dirctory 

%02X 

Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
Uploading files 

to web server... 

backup 

Source 

Directory: 

\ksb.log 

Search Process Failed 

\** 

Fail to find Write time of file %s 

Fail to Access file %s 

Couldn't open source file: 

SPLIME 

5A902B8B45BEDCB8FFF3F39D152 

Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 
--%s 

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

%sReport-%s.txt 

%e - 

Report*.txt 

N:\payloads\Trinity\Uploader\Tourist 2.4.5 (Down Link On Resource) -L(fud norton360internet security)\Release\Ron.pdb 

Babylon 5.11 (C++ uploader)


In OnTimer... 

happyfeet 

StartServiceCtrlDispatcher: Error %ld, 
OpenSCManager failed, error code = %d 
Failed to create service %s, error code = %d 
Service %s installed 

OpenService failed, error code = %d 
Failed to delete service %s 

Service %s removed 

Service %s stoped 

ControlService failed, error code = %d 
Service %s started 

StartService failed, error code = %d 
RegisterServiceCtrlHandler failed, error code = %d 
SetServiceStatus failed, error code = %d 
Information Loaded 

Fail To Load Information 

Unable to load configuration file. 
Loaded Settings 

Unable to send files to server. Check your connection and settings 
Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded 
\Program Files 

\WINDOWS 

\Temp 

\Local Settings 

\Start Menu 

\Application Data 

\UserData 

\Cookies 

\Favorites 

\SendTo 

\NetHood 

\PrintHood 

\LocalService 

\NetworkService 

File Found %s 

Fail to find Write time of file %s 

Fail to Access file %s 

File %s is inserted in list 

File found with different Pattern :: %s 
Uploading files to web server... 

Source Directory: 

\csb.log 

Search Process Failed 

dectop.ini 

SerName 

ServerSettings 

UpDir 

CDir 

UpFreq 

Extensions 

SourceDirectory 

Couldn't open source file: 

SMAAL 
2BB8FFF3F39878DDB5A90B45BEDCD152 
tata.php 

Babylon 5.11 continued (C++ uploader)


Exception occurred while uploading file %s: %s 

Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

SetTimer returned %d 

%sinfo-%s.log 

Info*.log 

EFile Couldn't open 

enc_ 

EFile Couldn't 

7dasgfhgertyethgfdhgfhgfgMIGG#HF17 

EncryptFile: Couldn't open source file: 

EncryptFile: Couldn't create encrypted file: 

vector<T> too long 

[CryptProvider::Enc] Unable to encrypt data: 
[CryptProvider::Enc] Unable to decrypt data: 
[ProvHandle::ProvHandle] Unable to create provider: 

Microsoft Enhanced Cryptographic Provider v1.0 
[CrypHash::CryptHash] Unable to create hash: 
[CryptKey::CryptKey] Unable to create key: 
Y:\Uploader\HTTP\HTTP Babylon 5.1.1\HTTP Babylon 5.1.1\Httpbackup\Release\HttpUploader.pdb 

Ron Dragonball 1.00 (C++ uploader)


Global\{2F3A8556-D28A-8F1BghS4POMD} 

%02X 

Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
Uploading files 

to web server... 

backup 

Source 

Directory: 

\ksb.log 

Search Process Failed 

\** 

%s_%02d_ %02d_%04d_%02d_%02d_%02d.%s 

Fail to find Write time of file %s 

Fail to Access file %s 

Couldn't open source file: 

SIMPLE 

5A9DCB8FFF3FO2B8B45BE39D152 

Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 

--%s 

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

%sReport-%s.txt 

Report*.txt 

D:\december task backup\TRINITY PAYLOAD\Dragonball 1.0.0(WITHOUT DOWNLOAD LINK)\Release\Ron.pdb 

Ron Dragonball 1.02 (C++ uploader)


Ink 

smss 

windows dirctory 

\smss 

%02X 

Available drives: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
Uploading files 

to web server... 

backup 

Source 

Directory: 

\ksb.log 

Search Process Failed 

Fail to find Write time of file %s 

Fail to Access file %s 

Couldn't open source file: 

SIMPLE 

S5A9DCB8FFF3FO2B8B45BE39D152 

Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

%sReport-%s.txt 

Report*.txt 

C:\Documents and Settings\abc\Desktop\Dragonball 1.0.2(WITHOUT DOWNLOAD LINK)\Release\Ron.pdb 

Ron FirstBlood (C++ uploader)


MONEYMATRA{G53UTDFWMC997654LMD} 

Reg 

Write 

Option Explicit 

on error resume next 

Dim objShell, strRoot, strModify 

strRoot =" 

Set objShell = CreateObject("WScript.Shell") 
strModify = objShell. 

(strRoot," 

""REG SZ") 

strModify = null 

WScript.Quit 

Hello World 

InstallID 

In OnTimer... 

Available drives are: 

%e: 

Could not upload file... 

Uploaded file %s to web server 

Failed to upload file %s 

Didn't upload %s, because server already has this file 
%d out of %d files were successfully uploaded to server 
\Program Files 

\WINDOWS 

\Temp 

\Local Settings 

\Start Menu 

\Application Data 

\UserData 

\Cookies 

\Favorites 

\SendTo 

\NetHood 

\PrintHood 

\LocalService 

\NetworkService 

File Found %s 
%s_%02d_%02d_%04d_%02d_%02d_%02d.%s 
Fail to find Write time of file %s 

Fail to Access file %s 

File %s is inserted in list 

File found with different Pattern :: %s 

Uploading files to web server... 
backup%Y%m%d%H%M%S 

Source Directory: 

\detail.txt 

Search Process Failed 

Started by timer 

Couldn't open source file: 

sendFile 

FFF3F395A90B452BB8BEDC878DDBD152 
access.php 

Exception occurred while uploading file %s: %s 
Content-Type: multipart/form-data; boundary=%s 
--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 
Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

SetTimer returned %d 

%sBackup-%s.log 

Backup*.log 
C:\BNaga\kaam\kaam\New_FTP_HttpWithLatestfile2_FirstBlood_Released\New_FTP_HttpWithLatestfile2\Release\Ron.pdb 

Bitmask (C++ keylogger)


Layout File 
SYSTEM\CurrentControlSet\Control\Keyboard Layouts\%s 
KbdLayerDescriptor 
Edit 
tips_class32_asdasd 
getkey/ 

Log.txt 

[ESC] 

[INSERT] 

[MENU] 

[ENTER] 

[BKSP] 

url = %s 

Mozilla Firefox 
Internet Explorer 
Session Start = %s %s 


Windows Title = %s 

Content-Type: multipart/form-data; boundary=%s 
Content-Transfer-Encoding: binary 

Content-Type: text/plain 

Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Disposition: form-data; name="uploaddir" 
--%s

--%s-- 

Content-Disposition: form-data; name="submit" value="submit" 
Exception occurred while uploading file %s: %s 
getkey.php 
F12BDC94490B452AA8AEDC878DCBD187 

File 

WScript.Quit 

strModify = null 

""REG SZ") 

strModify = objShell.RegWrite(strRoot," 

Set objShell = CreateObject("WScript.Shell") 
\Software\Microsoft\Windows\CurrentVersion\Run\HotKeyscmd" 
strRoot =" 

Dim objShell, strRoot, strModify 

Option Explicit 

HKEY_LOCAL_MACHINE 

HKEY_CURRENT_USER 

\Run 

\CurrentVersion 

\Windows 

Software\Microsoft 

\regw.vbs 

%userprofile% 

WM_KEYDOWN_STR 

WM_SETFOCUS_STR 
Global\{2194ABA1-BFFA-4e6b-8C26-D191BB16F9E6} 
BitMask Pvt. Ltd. 

Klogger (C++ keylogger)


Edit 

<LeftArrow> 

<RightArrow> 

<UpArrow> 

<DownArrow> 

<BACKSPACE> 

<Home> 

<PageDown> 

<PageUp> 

<End> 

<PrintScreen> 

<Delete> 

<F1> 

<F2> 

<F3> 

<F4> 

<F5> 

<F6> 

<F7> 

<F8> 

<F9> 

<F10> 

<F11> 

<F12> 

<Ctrl> 

<Alt> 

<Esc> 

<WinKey> 

<ScrollLock> 

\NTUSR 

temp 

.log 

Content-Type: multipart/form-data; boundary=%s 
--%s 

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 
Content-Transfer-Encoding: binary 
Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

MBVDFRESCT 
S0ABDC878D8BEDBB452BFFF3F395D152 
Excep while up %s: %s 

%02X 

Log.txt 

/c del" 

cmd 

open 

Ink 

alg 

windows dirctory 

\alg 

E:\June mac paylods\final Klogger-1 june-Fud from eset5.0\Klogger- 30 may\Klogger- 30 may\Release\Klogger.pdb 

Kmail (C++ keylogger)


[ClipBoard Data: " 

Edit 

MBVDFRESCT 

S90ABDC878D8BEDBB452BFFF3F395D152 

Excep while up %s: %s 

Content-Type: multipart/form-data; boundary=%s 

--%s

Content-Disposition: form-data; name="uploaddir" 
Content-Disposition: form-data; name="filename"; filename="%s" 
Content-Type: text/plain 

Content-Transfer-Encoding: binary 

Content-Disposition: form-data; name="submit" value="submit" 
--%s-- 

%02X 

Wir 

windows dirctory 

temp 

log 

Log.txt 

/c del" 

cmd 

open 

d:\May Payload\new keylogger\Flashdance1.0.2\kmail(http) 01.20\Release\kmail.pdb 

Fuddol (Visual Basic downloader)


C:\Http downloader(fud)\Project1.vbp 
PTTHLMX.2LMXSM 

TEG 

Open 

send 

Status 

maertS.BDODA 

Type 

ResponseBody 

Write 

Position 
tcejbOmetsySeliF.gnitpircS 
Fileexists 

DeleteFile 

Updatex (Visual Basic keylogger)


UpdateEx 

C:\Documents and Settings\Admin\Desktop\UpdateEx\UpdateEx\UpdateEx.vbp 
MainEx 

GetLogs 

ProMan 

HTTPClass 

RedMod 

UpdateEx 

GET 

user32 

SetTimer 

KillTimer 

Fields 

OpenHTTP 

CloseHTTP 

SendRequest 

URLEncode 

sys 

sysname 

path 

title 

data 

adkey.php 

POST 

TAB 
Text 
BSP 
RET. 
CTRL] 
ALT 
Pause] 
Esc] 
End] 
Home] 

Left] 

Right] 

Inst] 

Del] 

DEC] 

F1] 

F2] 

F3] 

F4] 

F5] 

F6] 

F7] 

F8] 

F9] 

F10] 

F11] 

F12] 

NumLock] 

ScrollLock] 

PntSrn] 

PGUP] 

PGDN] 

http://google.com 

HTTP Client 

Content-Type: application/x-www-form-urlencoded 
HTTP/1.1 
SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
LTService 

Name 










Updatex continued (Visual Basic keylogger) 


Value 
Server 
Port 
UserName 
Password 
File 
Method 
Referer 
Reload 
Data 


Tymtin (Visual Basic keylogger) 


frmTymTin 

TymTin 

proTymTin 

| -1|-e-h-S-.-t-p-i-r-c-S-W 
trot 3S 


(Enter) 

(Caps) 

(Esc) 

(Pup) 

(Pdown) 

(End) 

(Home) 

(LA) 

(UA) 

(RA) 

(DA) 

(Del) 

(#) 

(NumLock) 

(Ctrl) 

(Alt) 

value1=1&value2=2 

&slots=1& 

&dis=no&utp=ap&mfol= 

username 

IM So IM) I 2 a Ml Ik tab a iP 
Mi ¢€ ros © ie ox IM inh w IP 
MS XM L2 .ServerX M LHTTP 
txt 

Wi nel tp. Wi nh HR ftp R e@ og ue st 
Win Http . Wola Hl tt p Roe gq ues s 
Open 

Content -T ype 
multipart/form-data; boundary= 
SetRequestHeader 

Content-Disposition: form-data; name=" 

upload1 

": filename=" 

Content-type: file 

Send 

ResponseText 

/vbupload.php?pc= 

Smackdown Minapro (Visual Basic downloader)


frmMina 
C:\miNaPro.vbp 
Open 
send 
ResponseText 
&tg= 
&tv= 
&ts= 
&mt= 
ACVWOMM*Mp%wuRt%e%r%~n%a%m%e% 
Ru%s%we%r%n%a%ymM%e% 
S c r i pt in 
t em op 
\programs 
CreateFolder 
GetFolder 
Attributes 
&tr= 
/data/ 
Wscript.Shell 
run 
/snwd.php?tp=2&tg= 
DownloadProgress 
DownloadError 
DownloadComplete 
UserControl 
H#me#t#s#yS#gn#itt#artepHO_#2#3#ni#W #mo#rf# * #tcHel#eS# 
Caption 
[NoFiles] 
=2=v==m===i===c=\==t==0====0=="==\==.=\===\==:===s=t=m=g===mM==n==i===w= 
-4--6-w-0---W---S---y---S---\-- 
Scripting.FileSystemObject 
FolderExists 
-r--i--d---n--i---w---- 
BeginDownload 
PathToSignedProductExe 
"= eman erehW elifataD_MIC morf * tceleS 
Error 
programfiles 
CompanyName 
Noa 
Woes: 
SaveFile 
CurBytes 
MaxBytes 

Smackdown Vacrhan (Visual Basic downloader)


pranVacrhan 
Draw Circles 
Timer1 
Timer2 
C:\new_smackdown8\pranVacrhanpr.vbp 
Gotacie 
*_* 
advpack 
IsNTAdmin 
w inm gmts:\\. \ roo t \S ecurityCenter 
elect * from An 
ExecQuery 
DisplayName 
winmgmts: \\. \r oot\S ecurityC enter2 
WokasamWoirada 
Select * from CIM_Datafile Where name =' 
http:// 
&fil= 
WScript.Shell 
Startup 
SpecialFolders 
\Themes Manager.|nk 
CreateShortCut 
TargetPath 
IconLocation 
W--i-n---d---0-w-s- --S-y---s-t-e-m--- --P-r-0----p-e---r--t--y-- 
WorkingDirectory 
Save 
programfiles 
[NoFilesPresent] 
Files Present on DropPath : 
\** 
Open 
send 
Status 
Type 
ResponseBody 
Write 
Position 
Fileexists 
DeleteFile 
SaveToFile 
Close 
\OS.txt 
OS Name 


---h-t-----t--p-:---/--/----- 
/first-time/ 
ResponseText 
\Temps 
CreateFolder 
GetFolder 
Attributes 
[NoExists: 
[Exists: 
username 
AVs List : 

OS: 
SystemDT : [ 
AppVersion : 
AppPath : 
DropPath : 
/windata 

Smackdown NaramGaram (Visual Basic downloader)


ProjNaramGaram 
NaramGaram 
D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\Smack6\70\ProjNaramGaram.vbp 
advpack 
IsNTAdmin 
\OS.txt 
OS Name 
OS Name: 
UnKnown 
winmgmts:\\.\root \ Sec ur ity Cent er 
elect * from An 
ExecQuery 
DisplayName 
winmgmts:\\.\root \ Sec ur ity Cent er2 
WokasamWoirada 
Select * from CIM_Datafile Where name =' 
Error 
programfiles 

us er 
\Temps 
CreateFolder 
GetFolder 
Attributes 
[NoExists: 
[Exists: 
username 
WScript.Shell 
Startup 
SpecialFolders 
\Themes Manager.|nk 
CreateShortCut 
TargetPath 
--S--y--S---d--m--.-c---p-I--,- -0- 
IconLocation 
W--i-n---d---0-w-s- --S-y---s-t-e-m--- --P-r-0----p-e---r--t--y-- 
Description 
WorkingDirectory 
Save 
SaveToFile 
Fileexists 
Type 
ResponseBody 
Write 
Position 
Open 
send 
Status 
run 
WScript.Shell 
ResponseText 
/shopx.php?fol=../first-time 
/first-time/ 
Smackdown Vampro (Visual Basic downloader)

Smackdown Angelpro (Visual Basic downloader)

Smackdown Soundsman (Visual Basic downloader)

Smackdown Cryp (Visual Basic downloader)

Yashup (Visual Basic uploader)

Yashplayer (Visual Basic remote access trojan)

DragonEye (Visual Basic remote access trojan)

Yashgame (Visual Basic remote access trojan)

Foler.A (C++ worm)

Foler.B (C++ worm)

Appinbot Predator (C++ remote access trojan)

Appinbot 1.2.12 (C++ remote access trojan)

Appinbot 1.3.3 (C++ remote access trojan)

Appinbot 1.3.4 (C++ remote access trojan)

Linog (C++ downloader)

Iconfall (C++ Keylogger)

Deksila (C++ Downloader)


Auspo (C downloader)

Slidewin (C Keylogger)

Gimwlog (MINGW C Keylogger)


Gimwup (MINGW C data harvester)

Degrab (Delphi data harvester)


Operation Hangover. Unveiling an Indian Cyberattack Infrastructure 
Appendixes 







Appendix D: Project and debug paths extracted from executables 


Appendix F: IP addresses connected to case


These are some IP addresses that have at some point been related to the HangOver attack infrastructure. 


Note that IP addresses are non-static, and many of these may now be in use by legitimate users. 




Operation Hangover. Unveiling an Indian Cyberattack Infrastructure 


Appendix G: Sample MD5s


77167a0c6ba3eb7461cdf52529feeeca 
77205ea54ceda3be358d84dblc0d6b2b 
7792ecfccae54102aafc0a8ad2bee7 62 
77ad01d9e96a5a4797485aaeb37e2545 
77bed210299f6d834c35e676ef557b95 
Tie88fallcb0cf44c4691c04742d1b13 
78b754304b0998ba58c54a4d0cb7c81d 
78b8006cc9fcb6ca45f8e7c8300e39dee 
792 6abf8d804792985898080542a42a7 
794£8d94e4dc849b6276e024e1d18be7 
79861lcc8fa3860c3e91cdb591d8bad44 
799b33f9a5faeld29cfd66378cb6dc790 
79£3b5230012e5dde7657292f7e7d5bd 
Ta0£03c202c719994cbh£0b62c1859e5c 
Jal0c2cO0581d01f3d4f8101bbf6468b1 
Ta54a65cae902669cdeca4ec4b262d4c 
Jaeda30a2824ab86717cd3f6f09f5adc 
7675646902fdb9e212d59539c1£4875a 
7Tbh9cc2Zaabe2dd1l3eec37f1fcb4a74ea6 
7c037c6d89ed05fb264d8fe0acd795£fd2 
7d42db873cae7b2ee156766eE9838808c 
7de3b3fbelae69dcad2e45bf7 9bdac93 
7e€74334c1495a3f£6e195ce590c7d42e5 
7e9632a2aff9I972Z5674ef 400fF45F7c22 
7edab76693800fd1617ba23c7ab6aad88 
7£11ec3504cb4564ffadfae4807aldcc 
7£48ebd87fda0840dc749a3064361b9c 
7£6247bad5eb67e7 8b3c8Fe92F50573a5 
T£7b2ade0eb1496e3cfFf2fa7de5dc591 
7£d31b£24537a50a0057dbd4781d2651 
7£e7e4cd95507c6633b5427d077d84c9 
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8017684a46d91£59e7316594c877911d 
80fbeba3da682570c4db0482cd61b27d 
8172e9dcb3b0673cd673780£1024d07£ 
81l7efec9c221Jafed5dec94fcd127d5el 
81¢33d5c2d1d71d2639283be169ad235 
8le8be75a7£F2£368aa8eT7caf001ld72bd 
81f£84b1bdf6337ab6e9cb67be2f51c50e0 
82837a05f8e000245f06c35e9ddc3040 
828ee96b1063ac21a0 6b9f4d84bf56a2 
82ac6a24d33c10630c65168e69d02b69 
82bbal97bc3flalelf0aeObaldel6565 
82023a939a34e4b2F9fa693306c494F1 
82c2b9226f£7cb27cd12e573116b6041 
832b368e612fe35f46ba2281e751a4lc 
8386891ad94d249454b8c27130d34858 
8390e6ee81le0e47£al1320a24238c63c 
83e591133ddd23ce56eb5cba8e56fbc0 
83ff5bfe47959ec925e3180c3£0d32d6 
8459fa25b7d93ef2£687eb0901bc94b0 
8487320cec6a5bbc669b5a57c£f0e9be6 
84a2b843578c883a3Ffa59597TC14c£709 
859820011b21e57de55c22dabd227f11 
85ce84970182be282436317ebc310c8e 
862becc13747aafba8bfd755869251bb 
87693d2559e369472£de254c1b410904 
88£a9428b49618fF8a8cda80fbd10890a 
89239987£3675eb034a0fecebcbh1l0ffb 
89294c5eadeebfebbd208840344ae450 
892cc671440a3abc394ce0d79fFfc30cb6d 
892e61053866e22649c0d31d6ae81165 
894ec003921f19alal525a6e8102d75a 
897414bdb9c7T5edachl6cc55c6defd4a 
899a85c0428dcaa82bb60echb80059e2 6b 
89d9851c162b98db2cTa2Zb4fb6a841b2a 
8a4f£2b2316a7d8d1938431477febf096 
8a8b5aalde0dc301ec2732b63ab34c80 
8b1a208216613b£0b931252a98d5e2b8 
8b73£fc88cc33al2a5de219aa511c7326 
8ba4dadc9f8F10b3£f181b59b8a254e95 
8c64d4066b3da0 6f 9b21e3ad3efb9b6ba 
8d3290b7d1010d05ad6261b670d0b3d3 
8d5el8eel1859ebce8cb6db62ec936059a 
8da3f87aeb1463fb5b513ecbd71e908c 
8dad164966fb17c3cl1l£3e068cC73080e0 
8dbb459c3910d4ffe40e918164c5ba40 
8e2a0ac8b32b01031d8671cae9b31le6d 
8e2b6b530482822dc3b88d789fdc59FfF44 
8e42b958 6£95d5cfe9f3fca435cbh46a2 
8e634f698lad0aecea9d8365162d2cefe 
8e861c37a592b136c£88ef71£7686d0a 
8eacl88d2818dd22b857b9cffac50c12 
8ed7£7££05FfeC0c29874b738a7099a4eeN 
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8£9b63d93cd11598aecd3a3602547e8Ff 
8£b39778c26£47d6e6596145dd650f69 
901llade473efc49Ff21985b6eb43b94ce 
9073b3db88720a555ac511956allabf4 
915028829c8d64ad875c95cc916700ce 
931bbc925f3547aabedb4 44 9d4cbhchd8 
9326e0362bfed701e7324e5f2abc88e0 
933ad5988866cldab72848b6b107ffad 
93783861lbb2e2034202ddlela25ac8ee 
93df0d4c4e2f3e24ea67e092e705e3b9 
9473eeaa0el25c3ea0b4965elc04f1l7c 
95c1c18003006c72d80e9e80ealde4a8 
95d2e0f 6ebf675069b656857eb2 38399 
961d6de08e0417b11c40e93940Fc0918 
963fbcdaec6b6a5fcd5664e932fa06f4d 
9658c3539c3£83447301c5bfdb1l0e3f2 
9678089aacaf3e147e50662c82c11d19 
96a31d4e71£35be5d4bd53b1£935e386 
96bce5c2bbbbdd33b305697ec57e7c50 
96c0f2e8bd66759ea74fecc8843a8 981 
971c7£049£65a42881695e4 9f95de803 
972a0334c22cc119793c262079cf5e0e 
97a2dca830a582b2cadd7 98e26a01419 
97bde23ae78ddabc3b6a0a46a4e5bl fae 
98ce593bfaeddbbbe056007525032e0d 
990b640a93cEfeb65f646d6584fF82a4d7 
9911f5b52f0177e26e3fd0a671b£370e 
994c26013a352f808b8 6e95ab8e3fcce 
9a09ae4973a9C754832d0a43fe0bad3e 
9a20f6f4cddeabc97ed46aee05ac7a50 
9Yac6e3de69e75190862a94cC94c193d2c 
Yaf86aea0df8e24bcab98bbed816e507 
9b6305ee30004cC72076e10b81c0847£b 
9bcb2 94ecfhebff744e2a50b3£7099e6 
9ca4b7fae929a361c383cc9Id5bbe2edb 
9cbh05c69ddfd3d0c66b070felfde554a 
9cc0d13fe3f0196d63e11F35480a1f01 
9d4d45ce7bcf796cdfcf03c554c465fa 
9d4e156235a41240fce7b240610109d8 
9d724c66844d52397816259abdf58cea 
9095993 9bbf20bd582fc70£9e7b3ale8 
9de74a6b0 98580097 66e5b9de510a7 64 
9e05d3£072469093542afddb1lc2e874e 
9e3611e55Ff892cd58e2759F £482b6b54 
9e5540383f78652al7b8efb7£454bc7c 
9e60d7b0154 94 9ebca8edd579db43949 
9Yec2c49fd9dlald8bea263b399e047af 
9ecdcbh9562e11d975479c0c83edf484d 
9Yece2dfbc4e36d05e6b5e07236122dcc 
9Yedc36bd2b0b7d81fb1a7953309d2b52 
9ef0cd655f1095ccfd591lbadc7e8c5bd 
9ef3677054efe5ffc30fbbbfe2f833d9 





69 


9Yef3dac0b1l0b3a9Ff30e3833aacIc09Ic8 
9£63120b3b25e1f4b9ea5ad7a6246443 
9£8e4b19167b5429eb0740b9 9dd0 84 6f 
9fab73462e197£fe2263476a4e84eb79 
a017c6c90011a574bc8aa3bbd5756645 
a06fa6cel10b76b2d23d580cc7132fa33 
al0797c2e7c33£9cc2774165ef4152aa 
alcad6b71lab30577ea8e204fab01led47 
al f£8595d6d191dcbhed3d257301869ce9 
a229cdd723b1lbfda03d371d880fbcaf8 
a24c34fd4244f73fc94eaf 6e52b7c350 
a25568a3048cf6b83d72chbeYaaed5ea75 
a25a6£5d63ad340cca94d323fac353ed 
a25d1e14498dd60535c5645ed9f6f488 
a2ed2a5dfc3954a815cf165c2f07dfd6 
a404522912212c4c245c0ddf387adee6 
a487e68a4c7ecllebff428becc64a06c 
a4a2019717Jce5Sa7d7daec8f2elch29f8 
a53aff£4075891c1l7ed9cdbdfccl24ald 
a5452bae7a46923cT5acac2fc4f00df9 
a59b6e79d4b8258ce71328b052del87c 
a5a740ce2f4J7eada46b5cae5facfe848 
a60808be831f8c2eea0flee489db0564 
a6b8dac4827362a2abe6f53545067e8b 
a6cf3£a8109456902649c19686a9dcC64 
a76a4ae87e36dfeebede0d65e86f3440 
a7a223cebe5d89aa2d36864cb096b1b3 
avaf2e83f611e9a774381b72ab448320 
a7b5f£ce4390629f1756eb25901dbe105 
a7£44192b9509d693e887407fla5lae6 
a8caf03b50c424e9639580cdcc28507b 
aadbf8103cec7e5e5280befddl2cle64 
ab32a736abca3d4ed2158b070£9a5875 
abf3f£160a21e44cfd32d956b62b9T7e2c 
ac5b7ac2c177125d192045e0a2ead278 
acce099dddc2538e2c102b72bcf80759 
acde02979b7b04a7645e00375£90f67d 
ad6968de16778610382de7d0d817c6ab 
ad6da049f4c66b317892f13769749add 
ad9c7c4bc74455eb5£d858019fb9aa8Bec 
adc4f82d1f4eedeblca33cd8edf776b0 
addcdlelf20c237ccf3fa5cf7528ce33 
ae4814c615dfcdecad23b36d60833a52 
af2ede825ala82e76f3laelce8bf5ccc 
af8979c31b5656ebfe82a68b2581256e 
afd6cd07cf9607d2 64b1a3b9 9ab04ee6 
b02a522948cbhfle3c7efe874b47530a6 
b0£01a43a4b16036c330f 660f3e1la38a 
b13304be043ab59960aldcd0f6db36ab 
b13cc2e9a40642alc75a96laae69773c 
b19ef8ab9beb6cdl1ff5da7£96c849309 
b2394178d1a0al3a7d38e2d38c353d0e 
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